Two-year-old Windigo may also have infected kernel.org Linux developers.

Researchers have documented an ongoing criminal operation infecting more than 10,000 Unix and Linux servers with malware that sends spam and redirects end users to malicious Web pages.

Windigo, as the attack campaign has been dubbed, has been active since 2011 and has compromised systems belonging to the Linux Foundation's kernel.org and the developers of the cPanel Web hosting control panel, according to a detailed report published Tuesday by researchers from antivirus provider Eset. During its 36-month run, Windigo has compromised more than 25,000 servers with robust malware that sends more than 35 million spam messages a day and exposes Windows-based Web visitors to drive-by malware attacks. It also feeds people running any type of computer banner ads for porn services.

The Eset researchers, who have been instrumental in uncovering similar campaigns compromising large numbers of servers running the nginx, Lighttpd, and Apache Web servers, said the latest campaign has the potential to inflict significant harm on the Internet at large. They explained:

The number of systems affected by Operation Windigo might seem small when compared with recent malware outbreaks where millions of desktops are infected. It is important to keep in mind that, in this case, each infected system is a server. These usually offer services to numerous users and are equipped with far more resources in terms of bandwidth, storage and computation power than normal personal computers. A denial of service attack or a spam-sending operation using one thousand servers is going to be far more effective than the same operation performed with the same number of desktop computers.

Remember the kernel.org hack?

Tuesday's report is also notable because it may provide important new details about the 2011 compromise that gained unfettered access to servers belonging to kernel.org, the group that maintains and distributes the Linux operating system kernel. Leaders of the Linux Foundation reneged on a promise to provide a full autopsy of the attack, leaving the motives of the attackers a mystery.

According to Eset, kernel.org servers were probably infected by a second piece of malware dubbed Linux/Ebury, an OpenSSH backdoor used to keep control of the servers and steal credentials. Ebury runs mostly on Linux servers and provides root backdoor shell access to infected machines, which is what lets it harvest SSH credentials.

"The timeline is interesting as well," Eset researchers wrote in the report. "While Phalanx2 had been used in many compromises before, it has not, to our knowledge, been seen in the wild after the Linux Foundation compromise. Interestingly, this was the first known case involving Linux/Ebury."

In addition to Linux/Ebury, another main malware component of Windigo is Linux/Cdorked, an HTTP backdoor used to redirect website visitors to malicious software exploits and fraudulent content. A third component, known as Perl/Calfbot, is a Perl script that causes infected machines to send spam. Curiously, the Eset report makes no reference to Darkleech, an exploitation toolkit that last year infected an estimated 20,000 websites running Apache.


The Windigo campaign doesn't rely on technical vulnerabilities to take hold of servers, Eset said. Instead, it uses stolen credentials. That finding led the researchers to conclude that password authentication for server access is inadequate; people should rely on two-factor authentication instead. People who want to know whether the servers they operate are affected by the Windigo campaign can run the following command:

Eset strongly recommends that operating systems of infected machines be completely reinstalled. They also advise all credentials stored on the infected machines or used to log into them be considered compromised. Given the difficulty many server administrators have reported fully eradicating Cdorked, Darkleech, and other malware attacking production servers, the advice makes sense.
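The article's recommendation is that a stolen password alone must never be enough to get a shell. The following is an added example, not code from the article or from Eset's report: a small POSIX shell audit of an sshd_config that reports the directives which still permit single-factor password logins. The directive names are real OpenSSH options; the two sample configurations inside the script are constructed for this example, and the assumption that a PAM one-time-password module sits behind keyboard-interactive authentication is this example's own.

```shell
# Added example (not from the article or Eset's report): audit an
# sshd_config for the weakness the article describes, a password alone
# granting access. Sample configs below are constructed.

# Effective value of a directive. sshd honours the FIRST non-comment
# occurrence, and directives after a "Match" block apply conditionally,
# so parsing stops there.
sshd_directive() {
    _file=$1
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$_file"
}

# Print one finding per line for the given sshd_config.
audit_sshd_config() {
    cfg=$1

    # OpenSSH defaults PasswordAuthentication to yes, so an absent
    # directive is as weak as an explicit "yes".
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    if [ -z "$pw" ] || [ "$pw" = yes ]; then
        echo "PasswordAuthentication is effectively yes: a stolen password alone grants a shell"
    fi

    # Keys must stay enabled so that passwords can be switched off.
    pk=$(sshd_directive "$cfg" PubkeyAuthentication)
    if [ "$pk" = no ]; then
        echo "PubkeyAuthentication is no: users cannot be moved off passwords"
    fi

    # Two-factor login is a comma-separated list of methods that must ALL
    # succeed, e.g. "publickey,keyboard-interactive" with a PAM one-time-
    # password module (assumed) behind keyboard-interactive. Only the first
    # alternative list is examined here.
    am=$(sshd_directive "$cfg" AuthenticationMethods)
    case $am in
        *,*) ;;  # at least two methods required: fine
        *)   echo "AuthenticationMethods does not require a second factor" ;;
    esac
}

# Number of findings as a plain integer (avoids the padding wc -l adds on
# some systems).
count_sshd_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Demonstration on two constructed config files.
demo_sshd_audit() {
    tmp=$(mktemp -d)
    cat > "$tmp/weak" <<'EOF'
# constructed: a stock-looking config that still allows password logins
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
    cat > "$tmp/hardened" <<'EOF'
# constructed: keys plus a second factor, passwords off
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
    for f in weak hardened; do
        echo "== $f: $(count_sshd_findings "$tmp/$f") finding(s)"
        audit_sshd_config "$tmp/$f"
    done
    rm -rf "$tmp"
}

demo_sshd_audit
```

Run it against a real host with `audit_sshd_config /etc/ssh/sshd_config`. The first-occurrence rule matters in practice: a hardening line appended to the end of a file that already contains `PasswordAuthentication yes` changes nothing, and this audit reports that correctly. On an already compromised host the audit is moot, which is why the article's advice is a full reinstall and new credentials, not a configuration change.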

I thought the first post would be "Well... any competent Linux sysadmin wouldn't have been comprised.. they'd have scripted this... set this to read-only... set the other thing to overwrite itself daily... this only weeds out the weak sysadmins. Survival of the Fittest!!!!"

Call me paranoid, but I am pretty sure that MS is behind that. Just another FUD tactic. Don't let yourself get confused, Linux is safe from malware.

Please tell me you're being sarcastic... No operating system is "safe from malware." If it isn't fully patched it is vulnerable. In fact even fully patched stuff can be vulnerable. I don't care what platform you're on.

Funny how this article should show up as I am moving servers due to excessive, uncontrollable email spam on my old VPS. What I discovered was at least 10+ vectors that managed to pillage my VPS to pieces and pretty much used up all SMTP relays daily.

Multiple instances of PHP files to trigger SMTP scripts. Everything encoded with base64 in several locations on the cPanel client areas (websites). This was by far the worst, most uncontrollable hack I have encountered on a Linux web server.

Not only that, but it seems like they managed to gain access to the DNS settings and add a DNS autodiscover towards tcp in the SRV settings for one particular client, who had his web space compromised by email exploits in more than 5 places.

Somewhere, one of my clients (customers) had a leak into his DNS at the same time as the server was pretty much overtaken by these guys. Very impressive if they gained access to the server through a broken client that I send passwords over email to for his web space/FTP.


Please tell me you're being sarcastic... No operating system is "safe from malware." If it isn't fully patched it is vulnerable. In fact even fully patched stuff can be vulnerable. I don't care what platform you're on.

This. Even if you're fully patched, you're just protected against known exploits the developers have bothered to fix so far. Who knows if you're really secure.

The only safe computer is a computer with no power, in a sealed concrete case+Faraday cage, that has no relevant data on it. Otherwise, it's susceptible to attack. The moment anything connects to your computer, you're able to be compromised.

Is there any other easy way to test if your system is vulnerable/infected other than the ssh command listed at the end of the article? I've got a lot of servers that don't have an SSH client installed, so it would always trigger as infected due to the ssh command throwing an error.

I'm sure I'm not the only one that has servers deployed without an SSH client on them. CentOS minimal install doesn't include one, and I doubt I'm the only one that's ever used that version.

EDIT: I guess I didn't really understand the complete part of the exploit. Apparently it uses a modified SSH binary? So if I don't have SSH on a server, it's not infected by this, right?
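The worry in the comment above, a check that reports hosts without an ssh client as infected, is a general one: any tampering test has to tell "tool absent" apart from "tool modified". The following is an added example, not code from the article, from Eset's report or from the commenter: a POSIX shell integrity baseline in the spirit of the tripwire-style advice elsewhere in this thread. It records SHA-256 hashes of binaries while the host is known good, then classifies each path as missing, unknown, ok or changed. The baseline file format, the list of SSH paths and the sample files are this example's own assumptions.

```shell
# Added example (not from the article or Eset's report): a minimal file
# integrity baseline. Baseline format (assumed): "<sha256>  <path>" per
# line, exactly what sha256sum -c expects, so it can be checked by hand.

# SHA-256 of one file, portable across GNU and BSD userlands.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Record a baseline for the given paths. Must be run while the host is
# known good (ideally at install time) and kept off the host, since a
# backdoor with root can rewrite anything stored locally.
record_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for p in "$@"; do
        printf '%s  %s\n' "$(file_sha256 "$p")" "$p" >> "$baseline"
    done
}

# Classify one path against the baseline. Prints exactly one of:
#   missing  - file is not present (e.g. no ssh client on a minimal install)
#   unknown  - present but never recorded in the baseline
#   ok       - hash matches the recorded value
#   changed  - hash differs: the binary was replaced or modified
binary_status() {
    path=$1; baseline=$2
    if [ ! -e "$path" ]; then
        echo missing; return 0
    fi
    expected=$(awk -v p="$path" '$2 == p { print $1 }' "$baseline")
    if [ -z "$expected" ]; then
        echo unknown; return 0
    fi
    if [ "$(file_sha256 "$path")" = "$expected" ]; then
        echo ok
    else
        echo changed
    fi
}

# Report on the usual SSH binaries (paths assumed). An absent client is
# reported as "missing", not as a sign of infection.
check_ssh_binaries() {
    for p in /usr/bin/ssh /usr/sbin/sshd; do
        printf '%s\t%s\n' "$(binary_status "$p" "$1")" "$p"
    done
}

# Demonstration on constructed files: one unchanged, one modified, one
# absent, one never baselined.
demo_baseline() {
    tmp=$(mktemp -d)
    printf 'pretend ssh client\n' > "$tmp/ssh"
    printf 'pretend sshd\n'       > "$tmp/sshd"
    record_baseline "$tmp/baseline" "$tmp/ssh" "$tmp/sshd"
    printf 'pretend sshd plus a backdoor\n' > "$tmp/sshd"   # simulate tampering
    printf 'never recorded\n' > "$tmp/scp"
    for f in ssh sshd scp sftp; do
        printf '%s\t%s\n' "$(binary_status "$tmp/$f" "$tmp/baseline")" "$f"
    done
    rm -rf "$tmp"
}

demo_baseline
```

On a packaged system the same question can be asked of the package manager (`rpm -V openssh-server` on RPM-based distributions, `dpkg --verify` or `debsums` on Debian-based ones), which compares installed files against the vendor's recorded checksums. Either way the comparison is only as trustworthy as the host running it: a backdoor with root can alter the hashing tool, the package database or the baseline itself, so a "changed" result is a reason to rebuild, and a clean result is not proof of a clean host.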


The only safe computer is a computer with no power, in a sealed concrete case+Faraday cage, that has no relevant data on it. Otherwise, it's susceptible to attack. The moment anything connects to your computer, you're able to be compromised.

I have a secure computer... unplugged, in the basement, covered in dust....


I have a secure computer... unplugged, in the basement, covered in dust....

What kind of protections do you have for your basement? Basic key locks to your house I'd assume, and then probably no lock to the basement? Tsk tsk tsk... poor physical security. Where's the two-factor access control? Where's the man trap to prevent tailgaters? I hope you keep detailed logs of all access to and from the secure area...

Maybe this is an ignorant question, but how do we get to the root cause and fix this issue as a whole? Is the root problem just that humans program computers and thus there WILL be vulnerabilities, and since there will be vulnerabilities, they will be exploited? Is it ever safe to feel safe? The more I learn about cryptography and security, the less I want to trust computers anywhere. Yet I'm forced to trust them to more and more of my life every day. Maybe I should become a luddite. I guess I'm asking, is it even theoretically possible to build something that you KNOW is secure?

I kind of liked it when back in the old days I believed that *nix == impervious to anything. (No, I don't believe that ignorance is bliss--or I would staunchly avoid Dan Goodin's articles.)


That's like asking if anybody can 100% guarantee that you won't be involved in a car accident. There are certainly things you can do to mitigate the risks. If you're a server admin you can install tripwire to make sure your binaries don't change without you knowing, you can tweak your iptables so that you only expose the barest minimum attack surface, constantly audit your logs and cronjobs, make sure that your security packages are up-to-date, the list really goes on.

As a desktop user, make sure your OS is always updated, don't install cracked software, if you must pirate, do so in a virtual machine and make sure your booty is clean before you let it touch your underlying OS, always surf behind a hardware firewall, and generally don't be stupid.

You'll never be able to eliminate the risks, but you can certainly take steps to minimize them.


Thanks. That's a good analogy and makes a lot of sense. The benefits of driving outweigh the risk. Same with technology. But wear your seatbelt.

I kind of liked it when back in the old days I believed that *nix == impervious to anything.

Ken Thompson and Dennis Ritchie began work on UNICS (the precursor to UNIX) in 1969, and the first production instance of Unix was installed in early 1972. The first "hackers" are traced back to MIT also in 1969, where students & faculty modified both software & hardware to suit their needs.

In other words, people were hacking *nix before it even became a commercially viable product...


Back in my AOL days in the early 2k's, when I first heard of Linux, the way I usually heard it reported was that it couldn't be hacked, viruses were impossible because of the way it's designed, etc. I think that perception still exists among a large portion of those who know *nix exists.


The only reason there isn't more Linux/Unix malware is that until recently there hasn't been a large enough installed base on important computers to make it worthwhile to spend the time developing the malware. Now there is.

I'll bet that 10,000 is a much higher percentage of all the Linux servers in the whole world, than 10,000 Windows servers.


Really? I wouldn't bet that way. In web servers Linux leads by most numbers you can find. Mainframes are either Linux or some other *nix. HPC servers are something like 90% Linux. In other corporate servers Windows may lead, but enough to catch up?


You would lose that bet. Linux runs far more servers in the world than Windows. Windows has slowly been making more progress in this area but they have a long way to go to catch up to Linux in their server market.


Besides, Gibsons don't run Windows. And we all know that the hax0rs can't wait to cr@ck them a Gibson.